Commit Graph

23 Commits (f3312ef77ed0db94e20944efc6395750072f54d5)

Author SHA1 Message Date
q3k 91e1a8c9c5 devtools: add sourcegraph
Change-Id: Ic3c40768c761e598e0f42b17a4b9f0d4ebcb2bb2
2020-06-25 12:27:34 +02:00
q3k e3432ee775 kube/policies: implement mostlysecure
Change-Id: I0f5dc29f9fc3ad534ddda766a79bb18e64757a6c
2020-05-11 20:17:11 +02:00
q3k d436de2010 cluster/rook: bump to 1.1.9
This bumps Rook/Ceph. The new resources (mostly RBAC) come from
following https://rook.io/docs/rook/v1.1/ceph-upgrade.html .

It's already deployed on production. The new CSI driver has not been
tested, but the old flexvolume-based provisioners still work. We'll
migrate when Rook offers a nice solution for this.

We've hit a kubecfg bug that does not allow controlling the CephCluster
CRD directly anymore (I had to apply it via kubecfg show / kubectl apply
-f instead). This might be due to our bazel/prod k8s version mismatch,
or it might be related to https://github.com/bitnami/kubecfg/issues/259.

Change-Id: Icd69974b294b823e60b8619a656d4834bd6520fd
2020-05-02 23:30:52 +02:00
q3k 006c1bf8f3 *: add more OWNERS
Change-Id: If2740a0aaee845160b38b8ea0b23fea7bab3bded
2020-04-13 01:46:15 +02:00
q3k 74818e155c hswaw/kube: add pretalx
Change-Id: Ia7512aa988022c3c7fd89f81927fbad03f933cf1
2020-02-18 22:56:21 +01:00
q3k 114edc2398 kube/mirko: add kube.CephObjectStoreUser
Change-Id: I2a67076eeaf41ada41f5ae3ee588025e4c16b9e1
2020-02-18 22:55:13 +01:00
q3k f8b4cd7b06 kube/redis: run as unprivileged user
Change-Id: If117384748cb6d06097742329095ae8936ed001c
2020-02-15 12:39:35 +01:00
q3k c622a19d36 kube/postgres: run bouncer
Change-Id: Id85cf1f32f8d41bf909dae380c4a5b3351cac29b
2020-02-15 12:39:14 +01:00
q3k aa8c2b0cca kube/mirko: allow specifying securityContext
Change-Id: Iebafd6b1480ed1e1c1f3cf83361376987720766e
2020-02-15 12:38:39 +01:00
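The three commits above (redis unprivileged, mirko securityContext, postgres bouncer) do not show what the resulting pod spec looks like. The following is an added example in plain Kubernetes YAML, not the repository's mirko jsonnet, of a Redis deployment running as an unprivileged user with the usual hardening knobs; the image tag, the uid/gid 999 (the `redis` user in the official image) and the volume layout are assumptions.

```yaml
# Added example, not code from the hswaw repository. Image tag, uid/gid and
# mount paths are assumptions; adjust to the image actually deployed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  replicas: 1
  selector:
    matchLabels: {app: redis}
  template:
    metadata:
      labels: {app: redis}
    spec:
      # Pod-level context: refuse to start if the image would run as root.
      securityContext:
        runAsNonRoot: true
        runAsUser: 999      # assumed: the "redis" user of the official image
        runAsGroup: 999
        fsGroup: 999        # volumes are chgrp'd so the non-root uid can write
      containers:
      - name: redis
        image: redis:5      # assumed tag
        args: ["--appendonly", "yes"]
        # Container-level context: no capability, no setuid escalation,
        # and an immutable root filesystem; only /data is writable.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: data
          mountPath: /data
      volumes:
      - name: data
        emptyDir: {}
```

Two checks worth running after applying such a spec: `kubectl exec deploy/redis -- id` should report uid 999, and a write outside `/data` (for example `touch /tmp/x`) should fail with a read-only filesystem error. Note that `runAsNonRoot: true` without a numeric `runAsUser` makes the kubelet reject images whose `USER` is a name rather than a uid, because it cannot verify non-root-ness at admission time.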
q3k a2ee865a0c postgres: run unprivileged
Change-Id: I8d7e92093c0df91b6cd601a4d8e2484fca97ee88
2020-01-22 21:48:48 +01:00
q3k 92b48d6216 {matrix,lelegram}: pin to bc01n0{1,2}.hswaw.net
Only these nodes (and bc01n03) are #blessed by freenode.

In the future we should fix this by having custom node labels for
blessed nodes. But this will do for now.

Change-Id: Ia5d7cfcb9329da0de8d596ed40b20b0e0f286f43
2020-01-08 13:59:04 +01:00
q3k c33ebcc79f cluster: add ceph-waw3, move metallb to bgp
Change-Id: Iebf369f9a02e44be163ef4afc2e0f23c4b009898
2019-11-01 18:43:45 +01:00
q3k 6f773e0004 smsgw: productionize, implement kube/mirko
This productionizes smsgw.

We also add some jsonnet machinery to provide a unified service for Go
micro/mirkoservices.

This machinery provides all the nice stuff:
 - a deployment
 - a service for all your types of ports
 - TLS certificates for HSPKI

We also update and test hspki for a new name scheme.

Change-Id: I292d00f858144903cbc8fe0c1c26eb1180d636bc
2019-10-04 13:52:34 +02:00
q3k e31d64f265 kube: move cert-manager resources to kube.local.libsonnet
This way kubernetes consumers don't have to import anything from
cluster/, hopefully.

We also create a small abstraction for local additions for
kube.libsonnet without having to modify upstream.

Change-Id: I209095781f91c8867250a647fe944370cddd67d0
2019-10-02 21:03:13 +02:00
q3k b13b7ffcdb prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
2019-08-30 23:08:18 +02:00
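The access model described in the commit message (a personal-$username namespace with administrative rights, no access elsewhere, plus a static ClusterRoleBinding for admins), written out as plain Kubernetes RBAC manifests. This is an added illustration, not the repository's prodaccess/prodvider code or jsonnet; the user name `alice`, the group name `system:admins` and the binding names are assumptions, as is the premise that the short-lived certificate's CN carries the SSO username (Kubernetes' x509 authenticator maps CN to the user name and O fields to groups).

```yaml
# Added example, not from the hswaw repository. User/group/binding names are
# assumptions; "admin" and "cluster-admin" are built-in ClusterRoles.
apiVersion: v1
kind: Namespace
metadata:
  name: personal-alice
---
# Per-user admin rights, scoped to the personal namespace by using a
# RoleBinding (not a ClusterRoleBinding) to the built-in "admin" ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: personal-admin
  namespace: personal-alice
subjects:
- kind: User
  name: alice               # assumed: CN of the prodvider-issued certificate
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# Static binding for cluster administrators: everything, everywhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: static-admins
subjects:
- kind: Group
  name: system:admins       # assumed group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

To confirm the boundary holds, impersonate the user from an admin context: `kubectl auth can-i create pods --as alice -n personal-alice` should answer yes, while the same command with `-n kube-system` or `kubectl auth can-i list nodes --as alice` should answer no. Two caveats: the built-in `admin` role lets the user create further RoleBindings inside their namespace, but RBAC forbids granting permissions the binder does not hold, so it cannot be used to escape; and `admin` deliberately excludes write access to the Namespace object itself and to ResourceQuota, so quota enforcement on personal namespaces stays in the cluster operators' hands.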
q3k d07861b7df ceph-waw1 -> ceph-waw2
Change-Id: I03d6244b9697a9efc06492114ef90cdb01e17601
2019-08-08 17:49:31 +02:00
q3k 3c117fa841 make cockroachdb into a cluster service 2019-06-20 16:43:01 +02:00
Patryk Jakuszew fae3a9d514 add grace period for client pod, rename volume mounts 2019-06-20 16:43:01 +02:00
Patryk Jakuszew 5dfd4cc799 initial commit of cockroachdb.libsonnet 2019-06-20 16:43:01 +02:00
q3k c3b0f7627c cluster/kube: set operator replicas to 0 2019-06-20 16:42:19 +02:00
q3k 6916f7e244 app/toot: start implementing redis 2019-04-04 16:54:00 +02:00
q3k 5f2dc8530d toot: wip 2019-04-02 02:36:22 +02:00
q3k 4d9e72cb8c cluster/kube: init 2019-01-13 22:06:33 +01:00